HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
LAN Routing
cancel
Showing results for 
Search instead for 
Did you mean: 

MSR 20-40 SSL VPN

 
AlekseiZjabkin
Occasional Visitor

MSR 20-40 SSL VPN

Hi everyone!

 

I have a problem with the ssl certificate on MSR 20-40 router.

 

We have CA server. Router receives CA cert and then creates it's own cert based on CA cert.

 

Router tells that everything ok, but when I'm trying to open the ssl vpn page on a router Mozilla tells me : "sec_error_inadequate_cert_type".

IE tells nothing, it just don't open this page.

 

And this is not strange, because i found in routers local certificate "certificate purpose" > IPSEC IKE intermediate.

 

I just don't have any ideas about how to fix this problem.

 

Please HELP!

 

Regards,

 

Aleksei

1 REPLY
maglaubig
Occasional Visitor

Re: MSR 20-40 SSL VPN

A device can't create its own cert based on a CA cert unless you were referencing generating a CSR, sending to the CA and then importing the CA's certificate.  I'm assuming this is what you did for the remainder of this post.

 

The purpose of the certificate is not adequate for use with SSL, that certificate purpose is to be used as an IKE intermediate.  The client device accessing is responsible for verifying both the validity of the certificate and the intended purpose of the certificate.  Depending on the browser client security settings it will or won't display certain types of errors as you've discovered.

 

It doesn't sound like you're having a name mismatch as in the Subject Name of the certificate matches up with the FQDN or IP address of the certificate you had issued.  You'd get a certificate warning in this case, but it should at least still work if you bypass the warning.  This appears to be that the certficate generated is just not enough to be used to provide SSL service.

 

The certficate you're using should have a purpose of Digital Signature, Key Encipherment and Server/Client Authentication.  If you're using a Windows based CA, the default web server template should provide these purposes for the certificate that is generated.